The Open Group Conference - Boston 2010


TRACK: Security

Monday, July 19, 2010 — 2.00 - 5.30
Tuesday, July 20, 2010 — 2.00 - 5.00


2:00 - 2:45
Security for the Physical-Meets-Digital World
Many organizations, including but certainly not limited to IBM, are talking about building a Smarter Planet. This involves instrumenting the many real-world systems in place, ranging from transportation systems to buildings to water systems and smart electrical grids. It is then proposed to interconnect these systems to produce intelligence, which will enable smarter decision making and improve our ability to manage our environment. Security isn't necessarily the first thing thought about when companies and organizations embark on these journeys, but it rapidly becomes a key consideration. Even an initial consideration of the problems involved tells us that interconnecting the physical world to the digital world of IT brings challenges which are new to most security architects. It also introduces new standards and protocols which must be considered, many of which don't align with one another. This session, by members of the Advanced Technology Team in IBM Software Group's Industry Solutions Development organization, will bring the experience of analyzing risk and threats and then developing security solutions for the physical-meets-digital world, where the architect must deal with devices "in the wild", potentially safety-critical security concerns, and multiple new, competing and conflicting protocols and standards. The session will offer approaches to constructing more secure solutions, based on these experiences, along with suggestions as to how The Open Group Security Forum can participate in this area and help lead the industry to more secure outcomes.

Peter Coldicott, Distinguished Engineer, leading the Advanced Technology Team, IBM
Peter Coldicott is an IBM Distinguished Engineer, leading the Advanced Technology Team in IBM Software Group's Industry Solutions Development. His team focuses on complex product architecture issues for cross-IBM industry solutions, including product development in support of many parts of IBM's Smarter Planet (www.ibm.com/smarterplanet). Peter is a member of the IBM Academy of Technology and leads one of IBM's teams focused on patenting and asset development.

Tony Carrato, Executive IT Architect, Advanced Technology Team, IBM
Tony Carrato is an IBM Executive IT Architect and part of the Advanced Technology Team in IBM Software Group's Industry Solutions Development, working on product architectures, including security architectures for IBM Smarter Planet products and solutions. He is an Open Group Certified Distinguished IT Architect, an active member of the Security Forum, and a former co-chair and current steering committee member of the SOA Work Group.


2:45 - 3:30
Security in the Smart Critical Infrastructure Ecosystem
Across the globe, critical infrastructure components like real estate, transportation, healthcare, education, government administration, public safety, and utilities are becoming smarter and interconnected. For instance, enormous stimulus funds are being poured into modernizing utility and healthcare infrastructure in the form of smart grid and EMR. The modernization of these infrastructure components creates critical security and risk threats. As systems increasingly rely on information and communication technologies, they are vulnerable to denial-of-service, man-in-the-middle, and other cyber attacks, along with other risks that need to be identified and mitigated. A comprehensive security and risk architecture is needed to address these vulnerabilities, spanning cyber security and Critical Infrastructure Protection.

Usman Sindhu, Researcher, Forrester
Usman serves Security & Risk professionals. His research and client engagements focus on challenges and solutions around network access control (NAC). He advises organizations about their NAC strategy and pitfalls to avoid. Moreover, his research has focused on expanding the definition of NAC to cover broader use cases for organizations. He speaks with clients about developing a standards-based NAC strategy that reduces operational burden and eases deployment issues. His current research area includes smart critical infrastructure security (smart grid, government services, transportation, healthcare, education, and public safety) and its link to critical infrastructure protection (CIP) and cyber security.


3.30 - 4.00
Break


4:00 - 4:30
Mission Assurance and the Art of Cyber Defense

The US government and private sectors continue to acquire new IT capabilities for information and competitive advantage. As a result, our national security and critical infrastructure sectors have become increasingly dependent on information systems whose pedigree is uncertain given the globalization of the supply chain. At the same time, potential adversaries acquire increasingly advanced and adaptive techniques to attack computer networks and disrupt operations, making it impossible to fully understand the threat or defend against it completely. While we must continue to raise the bar to protect mission-critical systems from these threats by implementing best security practices, the current philosophy of trying to keep the adversaries out, or the assumption that they will be detected if they get through the first line of defense, is no longer valid. Given the sophistication, adaptiveness, and persistence of the advanced threats, we can no longer assume that we can completely defend against intruders. We must change our mindset to assume some degree of adversary success and be prepared to continue to operate while under cyber attack, ensuring business success even in a degraded or contested environment.

This talk will focus on actionable recommendations for addressing the advanced cyber threat and enabling mission assurance.

Harriet Goldman, Director, Cyber Mission Assurance, The MITRE Corporation
As Director of Cyber Mission Assurance, Harriet G. Goldman serves as the corporate focal point for Mission Assurance in support of MITRE's Department of Defense and Intelligence customers. She is responsible for directing the Mission Assurance Against Advanced Cyber Threats initiative to raise awareness of the advanced cyber threat across government and industry and to develop strategies, technologies and processes to address customer cyber security and mission assurance needs.

Previously, she was the Chief Technologist for Information Security, where she directed and developed MITRE's information security technology portfolio. She also served as Director of Integration for Information Security to ensure secure, integrated and interoperable solutions across MITRE's customer programs. Ms. Goldman returned to MITRE after 10 years in private industry following her previous 16-year tenure at MITRE. As Vice President at Hitachi's Quadrasis, she directed information security consulting engagements for Fortune 100 companies and the development of security middleware that enabled heterogeneous security solutions to interoperate seamlessly.

Previously she was a founding member and Vice President at Concept Five Technologies, where she spearheaded the development of a consulting practice to assist CIOs in implementing secure, Internet-based business and customer relationship management solutions.



4:30 - 5:30
Panel: CyberSecurity and CyberRisk: OK, Now What Do We Do About It?

Panelists:

  • Usman Sindhu, Researcher, Forrester
  • Larry Clinton, President, Internet Security Alliance
  • Harriet Goldman, Director, Cyber Mission Assurance, The MITRE Corporation
  • Tony Carrato, Executive IT Architect, Advanced Technology Team, IBM
  • Steve Whitlock, Chief Security Architect, Boeing


Tuesday, July 20


2:00 - 2:45
A Revolution in Security: ISM evolution with ISM3
The Open Group is developing a new ISMS standard. ISM3 reveals the hidden links between security and the business, enabling communication and killing FUD. ISMS now can use ISM3's process-oriented continuous improvement, taking security contributions beyond mere compliance.

Vicente Aceituno, CEO, ISM3 Consortium
Vicente is an experienced Information Security Manager and Consultant with broad experience in outsourcing of security services and research. His focus is on information security outsourcing, management and related fields like metrics and certification of ISMS. See http://www.ism3.com for details on research (CMM, ITIL, etc.).


  • Leader of the Information Security Management Method ISM3 (Information Security Management Maturity Model)
  • President of the Spanish chapter of the Information Security Systems Association
  • Ingeniero Técnico en Telecomunicaciones (Universidad Politécnica de Madrid)
  • Book published: “Seguridad de la Información”, ISBN: 84-933336-7-0


2:45 - 3:30
Cybersecurity - A fine grained multi-tiered containment strategy

This presentation discusses the unique features of today's cyber infrastructures and outlines the threats facing government enterprises. It then describes IBM's holistic approach to security and how it provides a multi-tiered containment strategy that addresses information assurance; federated security management; operational systems management; governance, compliance, and risk management; and situational awareness.

Audience: security, architects, government and critical infrastructure

Key takeaways:

  1. Propose a model for cybersecurity protection
  2. Understand how to apply the model
  3. Application to critical infrastructure and cloud based environments

Andras Szakal, Director Software Architecture, IBM US Federal Software Group
Mr. Szakal is an IBM Distinguished Engineer and Chief Architect of IBM's Federal Software business unit. He is also an IBM Senior Certified Software IT Architect and an IBM Certified SOA Solution Designer. His responsibilities include developing e-Government software architectures using IBM middleware and leading the IBM federal government software IT architect team. Mr. Szakal holds undergraduate degrees in Biology and Computer Science and a Master's Degree in Computer Science from James Madison University.

Mr. Szakal has been a driving force behind IBM's adoption of government IT standards and is a member of the IBM Software Group Strategy Team. The team he leads has been responsible for helping the federal government move e-Government into the On-Demand era through the application of SOA. His team has been directly involved with multiple, high-profile, successful government software and services engagements based on open standards and open source.

Mr. Szakal represents IBM SWG on the Board of Directors of The Open Group. He currently holds the Chair of the IT Architect Profession Certification Standard (ITAC) within the Open Group.



3.30 - 4.00
Break



4:00 - 4:45
Use of the Cloud Security Alliance Control Matrix to Support IT Governance
This presentation will discuss proper interpretation of the Cloud Security Alliance control matrix, a 98-control framework, and explain how the existing control definitions can be used to attest to regulatory compliance challenges facing consumers of cloud services.

Audience: Cloud Computing Early Adopters and IT Auditors

Key takeaways:

  1. How to hold cloud service providers accountable in a standard framework
  2. The intended interpretation of 50+ control descriptions from the author
  3. How the controls relate to other control frameworks

Marlin Pohlman, Chief Governance Officer/Chair, EMC / Cloud Security Alliance Control Matrix Co-Chair
Marlin Pohlman is Chief Governance Officer at EMC and Co-Chair of the Cloud Security Alliance Control Matrix and Assessment Working Group. He holds a Ph.D. in computer science and an MBA in technology management, and holds the CISSP, CISA, CISM, CGEIT and PMP certifications. He has published five texts on regulatory compliance.

Experience: CSA (RSA conference), ISACA (multiple conferences), IIA (multiple conferences), CTO councils at Netscape, Sun, Oracle and EMC


4:45 - 5:30
How to Measure & Certify the Cyber Security Assurance Level of Software Source Code
This talk will discuss a next-generation static analysis tool, now in development, that can automatically measure the level of cyber security assurance in software source code for specific CWE vulnerabilities. The tool can also generate written evidence of this assurance level for certification by third parties. The purpose is to provide a low-cost, automated method of measuring and certifying software code for those cyber security CWE classes that can be mathematically defined and measured. This will allow automated, low-cost EAL testing by certification labs of the level of cyber security assurance of software code for some CWE classes. It can replace the imprecise manual code review used at lower EAL levels, or the very expensive manual formal-method proving required at higher EAL levels, for these CWE classes. It is anticipated that in the future this will allow the government to adopt stricter cyber security standards for software code used on government networks, substantially lowering the threat of cyber attacks. Technical detail of which CWE classes can be measured and how they are measured will be presented, as well as the mathematical techniques used to measure compliance.

Audience:
Government buyers of software products and commercial sellers of software products.

Key takeaways:

  1. How can the cyber security level of software code be measured & certified
  2. Which CWE vulnerability classes can be targeted for automated, low cost measurement
  3. How could these measurements be added to protection

Richard Barry, CEO, Kestrel Technology LLC
Richard Barry has been CEO of Kestrel Technology (KT) since May 2008. He spent 40+ years in the Silicon Valley hi-tech environment, both as a venture capitalist and as a co-founder of several hi-tech commercial software application companies. KT is his first experience with a government research environment; previously, all his experience was with developing and marketing commercial products. Prior positions have included CEO/President, VP Marketing and VP Business Development. Richard has raised over $100 million of venture capital for start-up companies. He has also been VP of Wells Fargo Investment Company, the second most successful SBIC formed under the SBA (which financed early rounds in Intel, Rolm, etc.).
